via a network, and permitting operation of at least a subsystem of the computer if a response
to the network enquiry is received from the network device confirming that the network is an
authorised network.

In at least preferred embodiments, the network enquiry is encrypted using a key
associated with the network, and wherein the response comprises an indication that the
network enquiry has been correctly decrypted. The key can suitably be the public key of a
public/private key pair associated with the network.

The firmware element can perform a security check as part of a boot process.

The invention further provides a computer comprising a component as described
above and a network comprising a plurality of such computers and a network device operable
to receive a network enquiry from each computer, generate a response accordingly and
transmit the response to the computer.

In another aspect the invention provides a method of booting a computer comprising
a firmware element performing a security check to verify that the computer is connected to an
authorised network, the security check comprising the steps of: generating a network enquiry,
transmitting the network enquiry to a network device via a network, and permitting operation
of at least a subsystem of the computer if a response to the network enquiry is received from
the network device confirming that the network is an authorised network.



Thus the operation of the firmware component ensures the computer must be
connected to an authorised network, for example a company's network, failing which the
operation of the computer is not permitted.



Brief Description of the Drawings

Embodiments of the present invention will now be described by way of example only
with reference to the accompanying drawings, wherein:

Figure 1 is a diagrammatic illustration of a system comprising a computer embodying
the present invention,

Figure 2 is a diagrammatic illustration of the BIOS of the computer of Figure 1, and
COMPONENT FOR A COMPUTER

Field of the Invention

This invention relates generally to the security of computer systems and, more
particularly, to the prevention or deterrence of the theft of computers and computer
components.

Background of the Invention 

Personal computers are a desirable and affordable commodity, and consequently are
vulnerable to theft. This is particularly a problem for companies and other large
organisations which own or manage a large number of personal computers, since the
unauthorised removal of a personal computer belonging to that company, for example, for its
theft, may often not be specifically identified. Even where the loss of a computer is
identified, the computer itself may not be recovered.

Various solutions have been tried and proposed to resolve this problem. It is, for
example, known to provide a physical anchorage for a computer, making it difficult to
physically move the computer from a location, for example by attaching it to a desk with a
wire cable. In addition to such a solution, or where such a solution is inappropriate,
particularly in the case of laptops, a number of software packages are available such as
CompuTrace(TM) or Lucira MobileSecure(TM). With these approaches, when the laptop is
connected to the Internet, a hidden and compact software agent transmits a message to a
computer system, attached to the Internet and owned by the package provider, identifying the
computer, for example by sending a serial number. If a computer is stolen, its owner notifies
the service provider. Such a system is described for instance in US Patent 6,300,863.

An aim of the present invention is to provide a new or improved deterrent to the
theft of computers and computer systems.

Summary of the Invention

According to a first aspect of the invention, we provide a component for a computer,
the component comprising a firmware element operable to perform a security check to verify
that the computer is connected to an authorised network, the security check comprising the
steps of: generating a network enquiry, transmitting the network enquiry to a network device

Figure 3 is a diagrammatic illustration of a further system embodying the present
invention.

Detailed Description of the Preferred Embodiments 

Referring now to Figure 1, a computer embodying the present invention is shown
diagrammatically at 10. The computer 10 comprises a motherboard 11 comprising a BIOS 12
in conventional manner. The computer 10 further comprises a network interface card 13 and
a power supply unit 14 connected to a power supply 15. The network interface card 13 is
connected via a network connection generally illustrated at 16 to a network
diagrammatically illustrated at 17. The network 17 comprises at least one network device 18.

The BIOS ROM 12 is shown in schematic detail in Figure 2. The BIOS 12 is
provided with a firmware element 19. The firmware element 19 comprises a random number
generator 20, an encryption module 21 and is provided with an encryption key 22. In a
preferred embodiment, the encryption key 22 comprises the public key of a public/private key
pair associated with the network 17 and stored on the network device 18. The encryption
module 21 is operable to encrypt a network enquiry generated by the firmware element 19
using encryption key 22.

The BIOS 12 is operable as follows. On boot, the firmware element 19 performs a
handshake operation with the network device 18. In the present example, the random number
generator provides a random number with a fair random distribution having a large range of
possible values; a 128 bit number for example. The random number acts as a signature code
which is encrypted by the encryption module 21 using the public key 22. The encrypted
signature code is then transmitted via the network interface 13 to the network 17 and the
network device 18. The network device 18 is operable to decrypt the network enquiry using
the private key held on the network device 18. The network 18 then generates a response, in
this case comprising the random number and transmits it via the network connection 16 to the
computer 10. The firmware element 19 compares the number received in the response with
the random number sent in the network enquiry, and if the numbers match, the boot process is
allowed to proceed.

A valid response alternatively may not be received from the network device 18, for
example if the computer 10 is not connected to an appropriate network, such that no response
is received after a pre-set time out period, or the computer, if connected to a network,
receives a response which does not encode the random number. In this event, the firmware
element 19 acts to prevent the boot process from continuing. If desired, a suitable message
may be displayed on a display screen or monitor linked to the computer 10 indicating that the
boot process has been stopped because the computer 10 is not connected to the network 17.
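
The handshake and its failure cases described above, as an added example that is not code from the patent: Python stands in for the firmware, and a toy unpadded RSA key built from small Mersenne primes stands in for key 22. All class, function and scenario names are assumptions made for illustration.

```python
import hmac
import secrets

# Toy textbook-RSA key pair from two Mersenne primes (constructed for this
# example: unpadded and far too small for real use, chosen so it runs offline).
E, P, Q = 65537, 2**127 - 1, 2**89 - 1
N = P * Q                               # public modulus: key 22 is (E, N)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, held by device 18


class NetworkDevice:
    """Network device 18: decrypts the enquiry, returns the recovered number."""
    def __init__(self, d, n):
        self.d, self.n = d, n

    def respond(self, enquiry):
        return pow(enquiry, self.d, self.n)


class FirmwareElement:
    """Firmware element 19 with random number generator 20 and key 22."""
    def __init__(self, e, n):
        self.e, self.n = e, n

    def security_check(self, transport):
        nonce = secrets.randbits(128)           # fresh 128-bit signature code
        enquiry = pow(nonce, self.e, self.n)    # encryption module 21
        response = transport(enquiry)           # None models the time-out
        if response is None or not 0 <= response < 2**128:
            return False                        # no or malformed response: halt
        # Constant-time comparison of the number returned with the number sent.
        return hmac.compare_digest(response.to_bytes(16, "big"),
                                   nonce.to_bytes(16, "big"))


def run_scenarios():
    """Return the boot decision for each case (True = boot proceeds)."""
    fw, device = FirmwareElement(E, N), NetworkDevice(D, N)
    # A device on some other network holds a different private key (constructed).
    p2, q2 = 2**107 - 1, 2**61 - 1
    other = NetworkDevice(pow(E, -1, (p2 - 1) * (q2 - 1)), p2 * q2)
    captured = []

    def tap(enquiry):                           # valid exchange, response logged
        captured.append(device.respond(enquiry))
        return captured[-1]

    return {
        "authorised_network": fw.security_check(device.respond),
        "no_response": fw.security_check(lambda enquiry: None),
        "other_network_key": fw.security_check(other.respond),
        "logged_exchange": fw.security_check(tap),
        "stale_response": fw.security_check(lambda enquiry: captured[0]),
    }
```

Because a new random number is generated for every check, a response logged from an earlier boot does not match and the boot is halted, which is why the description calls for a large range of possible values.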

Thus, where a computer embodying the present invention is stolen, the computer is
rendered unusable because it will not boot in the absence of a connection to the network 17.
Even if separate parts of the computer, for example the RAM or the hard disk drive are used
separately, the motherboard 11 will not be usable.

The present example may be implemented relatively simply using known techniques.
Establishing a network connection during a boot process is known from, for example, the
network boot process for a Pre-boot Execution Environment (PXE)-compatible computer in
accordance with the Wired For Management ("WfM") specification where the necessary
operating software is provided as part of the BIOS.

It will be apparent that any other handshaking or challenge mechanism may be used
as desired, by which the network 17 can verify its authenticity in response to an enquiry from
the computer 10. The network 17 may, for example, provide a response comprising an
appropriate identifier and the firmware element 19 may be operable to generate appropriate
challenges in the form of enquiry messages as appropriate.

The firmware element 19, although operable on boot of the computer 10, may be
operable in other circumstances as desired. For example, where the computer 10 is booting
from a "soft-off" operating state, for example from state S5 of the ACPI specification to state
S0, the firmware element 19 may be operable not to perform the security check. Instead, the
BIOS 12 may be operable in conventional manner to detect when the computer 10 is booting
from an unpowered state where the power connection 15 may have been removed and only
then will the firmware element 19 perform a security check. In this case, the security check
will be performed only when the computer 10 may have been unplugged, indicating that the
computer 10 has been potentially removed from its original location. If on performing a
security check the firmware element 19 finds that the computer 10 is still connected to the
network 17, no further check will be performed until it is detected that the computer has once
again been disconnected from the power supply 15. The boot of the computer 10 will thus
not in general be slowed down.

It will be recognised that encryption key 22 may for various reasons need to be
changed over time. This may be achieved securely in a number of ways, for instance the
system may be arranged so that only the BIOS may write the key 22 into the firmware device
and further arranged so that it carries out a network challenge of the above-described
type prior to allowing such a change, thereby requiring use of the old public-private key pair
in order to implement a new key-pair. Change of the key may be initiated by a software
component that is not normally stored on the computer itself, but rather is normally held, for
instance, by a company IT department. Equally, update of the key by the BIOS may be
arranged to require a specially designed hardware tool or dongle.

Where a peripheral or subsystem of a computer, such as a HDD storage device, is
provided with firmware as a controller or otherwise, it will be apparent that the controller may
be provided with a firmware element embodying the present invention to perform a security
check as described hereinbefore. Such an embodiment will now be described with reference
to Figure 3. In Figure 3, the computer is generally indicated at 110 provided with a
motherboard 111 and a BIOS 112, and a network interface card 113, in like manner to the
computer 10 of Figure 1. The network interface card 113 is connected by a network
connection 16 to a network 17 having a network device 18 as shown in Figure 1. The
computer 110 further comprises a peripheral 130 provided with a controller 131 having a
firmware element 119. In the present example, the peripheral 130 is a hard disk drive, but it
will be apparent that the peripheral 130 may be any other peripheral or subsystem as desired
as appropriate. In this embodiment, the firmware 131 is operable in like manner to the BIOS
12 as shown in Figures 1 and 2 and as discussed hereinbefore, to generate a network enquiry.
The network enquiry is passed to the BIOS 112 which transmits the network enquiry via the
network interface card 113 to the network 17 and forwards any response from the network
device 18 to the firmware 131. The firmware element 119 is operable in like manner to the
firmware element 19 to generate the network enquiry, check the response and permit
continued operation of the peripheral or prevent operation of the peripheral.

The firmware 119 may be operable to perform a security check at any point as
desired. For example, during the boot process, the BIOS 112 hands over control to the
firmware of various subsystems of the computer 110, such as a video card and the hard disk
drive 130. The security check may be performed at this point. Alternatively, the security
check 119 may be performed when the peripheral 130 moves to an operating state from a
sleep state, for example from D1 or D3 to D0 in accordance with the ACPI specification.
When the computer 10 enters a sleep state, that is, it undergoes a transition from S0, the BIOS
10 will send instructions to the peripheral 130 and any other peripheral to move to an
appropriate sleep state, and will also send instructions to wake when the computer 10 moves
to the S0 state. The firmware element 119 may be operable to perform a security check in
response to such a transition. If no valid response is received, the firmware 119 may disable
the peripheral 130 such that, for example, the hard disk drive 130 will be disabled and will
not be readable.

It will be apparent that the embodiments of Figure 1 and Figure 3 may be combined,
so that both the BIOS 112 and BIOS 131 perform a security check. It may be envisaged that
any other peripherals or subsystems of the computer 10, 110 may be operable in like manner,
such that if the computer 10, 110 is stolen, not only will the motherboard 11 not be operable
but the peripherals from the computer 10, 110 will also not be separately usable.

By providing a security check as part of a hard disk drive, this will also help reduce
the risk of theft where a hard disk drive is removed in an unauthorised fashion and is stored
on another computer to attempt to access the data stored on the hard disk drive.

The network 17 in the present examples is preferably a network belonging to a single
company or other organisation, and may be a local area network or wide area network as
appropriate, with any appropriate network connection and protocol as desired. The network
device 18 may be a server or any other device as desired.

In the present specification "comprises" means "includes or consists of" and
"comprising" means "including or consisting of".

The features disclosed in the foregoing description, or the following claims, or the
accompanying drawings, expressed in their specific forms or in terms of a means for
performing the disclosed function, or a method or process for attaining the disclosed result, as
appropriate, may, separately, or in any combination of such features, be utilised for realising
the invention in diverse forms thereof.

CLAIMS

1. A component for a computer, the component comprising a firmware element
operable to perform a security check to verify that the computer is connected to an authorised
network, the security check comprising the steps of:

generating a network enquiry,

transmitting the network enquiry to a network device via a network, and permitting
operation of at least a subsystem of the computer if a response to the network enquiry is
received from the network device confirming that the network is an authorised network.

2. A component as claimed in claim 1 wherein the network enquiry is encrypted using a
key associated with the network, and wherein the response comprises an indication that the
network enquiry has been correctly decrypted.

3. A component as claimed in claim 2 wherein the network enquiry is encrypted using a
public key of a public/private key pair associated with the network.

4. A component as claimed in claim 2 or claim 3 wherein the network enquiry
comprises a signature code, and wherein the valid response comprises the signature code.

5. A component as claimed in claim 4 wherein the signature code comprises a random
number, and wherein the step of generating a network enquiry comprises the step of
generating the random number.

6. A component according to any preceding claim wherein the firmware element is
operable to perform a security check as part of a boot process.

7. A component according to any preceding claim being a motherboard and wherein the
firmware comprises a BIOS.

8. A component according to any one of claims 1 to 7 being a peripheral device and
wherein the firmware element comprises a controller for a peripheral.

9. A component as claimed in claim 8 being a mass storage device.

10. A component according to any preceding claim wherein the firmware element is
operable to perform a security check in response to a transition to an operating state.

11. A computer comprising a component as claimed in any one of the preceding claims.

12. A network comprising a plurality of computers as claimed in claim 11 and a network
device operable to receive a network enquiry from each computer, generate a response
accordingly and transmit the response to the computer.

13. A method of booting a computer comprising a firmware element performing a
security check to verify that the computer is connected to an authorised network, the security
check comprising the steps of:

generating a network enquiry,

transmitting the network enquiry to a network device via a network, and permitting
operation of at least a subsystem of the computer if a response to the network enquiry is
received from the network device confirming that the network is an authorised network.

14. A method as claimed in claim 13 comprising encrypting the network enquiry using a
key associated with the network, receiving an associated response and verifying that the
response comprises an indication that the network enquiry has been correctly decrypted.

ABSTRACT

Title: COMPONENT FOR A COMPUTER

A component, such as a motherboard or storage device, for a computer, the
component comprising a firmware element operable to perform a security check to verify that
the computer is connected to an authorised network, the security check comprising the steps
of: generating a network enquiry, transmitting the network enquiry to a network device via a
network, and permitting operation of at least a subsystem of the computer if a response to the
network enquiry is received from the network device confirming that the network is an
authorised network.